FCC Set to Begin Voluntary Cybersecurity Labeling Program for IoT Products

Under the final rule, which takes effect Aug. 29, wireless consumer IoT products that meet the applicable requirements will be eligible to bear a U.S. Cyber Trust Mark logo, as well as a QR code that directs consumers to information about the security of the product. Applicants will have to seek approval from third-party “label administrators” that have been FCC-approved, contingent on testing from FCC-approved labs.

To use the label, applicants will have to certify “under penalty of perjury” that the products they would label aren’t on the Bureau of Industry and Security’s Entity List or the Defense Department’s List of Chinese Military Companies, and that the product isn’t “owned or controlled by” a party suspended or debarred from government procurement, among other things.

Failure to disclose any noncompliance with the program’s requirements within 20 days would result in termination of authorization to use the label, and “subject the applicant to other enforcement measures.” Applicants are required to update their declarations or withdraw them if “any of the applicant’s circumstances impacting the declarations materially change while the application is pending.”

Only consumer IoT products are eligible for the certification program, though the FCC said in the rule that it won’t “foreclose expansion of the IoT Labeling Program at a later date.” Examples of covered products include home security cameras, voice-activated shopping devices, internet-connected appliances, fitness trackers, garage door openers, and baby monitors.

Products ”primarily intended to be used in manufacturing, healthcare, industrial control, or other enterprise applications" aren’t eligible for the program, the FCC said. FDA-regulated medical devices aren’t eligible, nor are motor vehicles and motor vehicle equipment, equipment on the FCC’s Covered List, or wired IoT devices.